02-16-2021 10:11 AM - edited 02-16-2021 10:42 AM
Hi Guys
I'm having an issue where our server running Red Hat 7.6 is hanging due to high CPU and memory usage. The system becomes unresponsive for about an hour, then sometimes goes back to normal or we need to reset it.
I've managed to capture the top information, and ampdaemon seems to ramp up alongside a database; to me that sounds like the DB is getting scanned? Once this happens it then becomes unresponsive for an hour and no one can log in; load goes over 150 (it has 7 CPU processors). Swap also gets eaten up and zombie processes are present (around 8). However, when the server becomes responsive again these are gone (obviously released and the parent has finally been terminated).
We have Oracle 12.2 running on it and we were told the server has exclusions on it for certain directories (DBs), but I'm seeing the following in the ciscodaemon logs:
Feb 16 13:35:03 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@821]:[139630454748928]: Excluding only 0 of 12 paths for file create
Feb 16 13:35:03 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@832]:[139630454748928]: Unable to exclude "/etc/shadow" in driver: Operation not supported
Feb 16 13:35:03 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@832]:[139630454748928]: Unable to exclude "/local/code" in driver: Operation not supported
Feb 16 13:35:03 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@832]:[139630454748928]: Unable to exclude "/nsr" in driver: Operation not supported
Feb 16 13:35:03 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@832]:[139630454748928]: Unable to exclude "/opt/OV/" in driver: Operation not supported
Feb 16 13:35:03 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@832]:[139630454748928]: Unable to exclude "/STORE/" in driver: Operation not supported
Feb 16 13:35:03 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@832]:[139630454748928]: Unable to exclude "/tmp" in driver: Operation not supported
Feb 16 13:35:03 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@832]:[139630454748928]: Unable to exclude "/u01/app/" in driver: Operation not supported
Feb 16 13:35:03 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@832]:[139630454748928]: Unable to exclude "/u02/app/" in driver: Operation not supported
Feb 16 13:35:03 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@832]:[139630454748928]: Unable to exclude "/u03/app/" in driver: Operation not supported
Feb 16 13:35:03 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@832]:[139630454748928]: Unable to exclude "/u04/app/" in driver: Operation not supported
Feb 16 13:35:03 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@832]:[139630454748928]: Unable to exclude "/u05/app/" in driver: Operation not supported
Feb 16 13:35:03 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@832]:[139630454748928]: Unable to exclude "/var/log" in driver: Operation not supported
Does this mean that the policy is not working and these are not being excluded? Is there a driver or compatibility issue?
I did see on the AMP connector page that it says compatibility is 1.9.1+; however, there is a column saying 1.12.5+. Does that mean if you are on 1.12 then you should be running at least 1.12.5? Or does it mean anything over 1.9.1 will work even if you are on 1.12.3?
We are running 1.12.3.
Thanks in advance for your help.
Thanks
Craig
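A quick way to turn ampdaemon fileop lines like the ones quoted above into a checklist of which exclusion paths the kernel driver actually refused, as an added example that is not part of the original post and not Cisco's own tooling. It assumes only the two line shapes visible in the post ("Excluding only N of M paths for file <op>" and 'Unable to exclude "<path>" in driver: <reason>'); the sample lines embedded below are constructed to match that format, and the Oracle exclusion list is a placeholder for whatever the policy is supposed to carry.

```python
"""Summarise which AMP for Endpoints policy exclusions the driver refused.

Added example, not code from the original post or from Cisco. The log format
is taken from the lines quoted in the post; the sample lines below are
constructed to match that format and are not a real capture.
"""
import re
from collections import Counter

# Matches the summary line "Excluding only N of M paths for file <op>".
SUMMARY_RE = re.compile(
    r"ampdaemon\[(?P<pid>\d+)\].*?Excluding only (?P<ok>\d+) of (?P<total>\d+) "
    r"paths for file (?P<op>\w+)"
)
# Matches the per-path line 'Unable to exclude "<path>" in driver: <reason>'.
FAIL_RE = re.compile(
    r'ampdaemon\[(?P<pid>\d+)\].*?Unable to exclude "(?P<path>[^"]+)" in driver: '
    r"(?P<reason>.+)$"
)


def parse_exclusion_log(lines):
    """Return the exclusion summaries, failed paths and failure reasons in `lines`."""
    summaries = []
    failed = []
    reasons = Counter()
    for line in lines:
        m = SUMMARY_RE.search(line)
        if m:
            summaries.append({
                "op": m.group("op"),
                "applied": int(m.group("ok")),
                "total": int(m.group("total")),
            })
            continue
        m = FAIL_RE.search(line)
        if m:
            reason = m.group("reason").strip()
            failed.append((m.group("path"), reason))
            reasons[reason] += 1
    return {"summaries": summaries, "failed": failed, "reasons": reasons}


def unprotected_paths(parsed, expected_exclusions):
    """Which of the paths the policy should exclude did the driver reject?

    Trailing slashes are stripped on both sides so "/u01/app/" in the log
    matches "/u01/app" in the expected list.
    """
    rejected = {path.rstrip("/") for path, _ in parsed["failed"]}
    return sorted(e for e in expected_exclusions if e.rstrip("/") in rejected)


def exclusions_effective(parsed):
    """True only if nothing failed and every summary applied all of its paths."""
    return not parsed["failed"] and all(
        s["applied"] == s["total"] for s in parsed["summaries"]
    )


# Constructed sample in the same shape as the post's lines (hostname/PID are placeholders).
SAMPLE_LOG = """\
Feb 16 13:35:03 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@821]:[139630454748928]: Excluding only 0 of 12 paths for file create
Feb 16 13:35:03 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@832]:[139630454748928]: Unable to exclude "/etc/shadow" in driver: Operation not supported
Feb 16 13:35:03 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@832]:[139630454748928]: Unable to exclude "/u01/app/" in driver: Operation not supported
Feb 16 13:35:03 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@832]:[139630454748928]: Unable to exclude "/tmp" in driver: Operation not supported
Feb 16 13:35:04 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@821]:[139630454748928]: Excluding only 0 of 12 paths for file open
Feb 16 13:35:05 hostname ampdaemon[2541] [other]:[notice]: unrelated line that should be ignored
""".splitlines()

# Assumed list of Oracle homes the policy is supposed to exclude (placeholder values).
ORACLE_EXCLUSIONS = ["/u01/app", "/u02/app", "/u03/app"]

if __name__ == "__main__":
    parsed = parse_exclusion_log(SAMPLE_LOG)
    for s in parsed["summaries"]:
        print(f"file {s['op']}: {s['applied']}/{s['total']} exclusions applied")
    for path, reason in parsed["failed"]:
        print(f"NOT excluded: {path} ({reason})")
    print("Oracle paths the driver rejected:", unprotected_paths(parsed, ORACLE_EXCLUSIONS))
    print("exclusions effective:", exclusions_effective(parsed))
```

On a live box the same functions can be fed the ampdaemon lines straight out of the connector log (for example, `parse_exclusion_log(open(path))`); a non-empty result from `unprotected_paths` for the DB homes is the concrete evidence to attach to a TAC case, since it shows the policy delivered the paths but the driver did not honour them.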
02-18-2021 12:12 PM
Thanks for the reply.
We got in touch with Cisco AMP Security directly and they told us it's a BUG in 1.12.x and that we need to upgrade to 1.13.x+ in order to get rid of the bug. We have done that in SIT and will be doing it in pre-prod and prod shortly, but the upgrade seems to have fixed it (fingers crossed).
02-17-2021 06:59 AM
Hi Craig,
Basically, this should go via opening a support ticket with TAC.
Briefly, there is nothing in the partial log presented. To tune exclusions for Oracle DB or any other application installed:
And this looks like a policy exclusion issue; however, without support logs we cannot do much here.
To answer your question about compatibility with Red Hat 7.6: it is AMP 1.9.1 and newer. Your version is good to work with it:
David